Scramble that data!
It seems like every article about data storage encryption starts by rehashing high-profile screw-ups where a tape containing a million credit card numbers bounced off a delivery truck or disappeared off the loading dock. You know the stories by now and more than a few of you probably thought, "Jeez, that's how we handle tapes." If you think that kind of thing only happens to the "other guy," think again. Maybe you're the other guy.
The benefits are clear: Lose an encrypted tape, you lose nothing; lose a tape whose bits haven't been scrambled and the implications are endless.
So why aren't you encrypting your tapes? In Storage's Spring 2007 Purchasing Intentions survey, 55% of respondents said they hadn't deployed storage security. Those respondents who were encrypting fell into three camps--those using appliances, backup software and array-based security--with a smaller contingent using the relatively new tape drive encryption technology. That was last spring, you say, so it's almost ancient history, right? In our most recent Purchasing Intentions survey, the number of respondents not encrypting was worse.
There are two main reasons for not encrypting: money and key management. They're pretty good reasons, but you'll have to find a way around them if you're serious about safeguarding your data. Encryption isn't free, regardless of how you implement it. Even if you use your current backup app to do the encryption, it's likely to be an additional cost option. Justifying the cost can be tough, just as spending for disaster recovery can be a hard sell. And deploying encryption is more on the order of disaster avoidance (DA), which is an even tougher concept to justify to those who hold the purse strings.
How do you get your bosses to swallow a sizable dose of preventive medicine? You have to lay out a solid case for the cost of the risk involved in having unencrypted tapes going offsite. Confidential customer or employee data in the wrong hands can be a huge liability, so you might check with your legal folks to build some "what-if" scenarios that describe possible consequences. That should help put a dollar figure on not taking action.
Encryption itself, if you don't delve into its underpinnings, is fairly straightforward stuff, but keeping track of encryption keys can be cumbersome or downright confusing, which is not the kind of thing any sane storage manager would want to add to an already complex environment. The number of different methods and architectures security vendors use for key management only compounds the confusion.
The solution may be as simple as knocking on the door of your company's network security crew. You might not understand all of their lingo, but they probably don't speak storage either, so you'll be on an equal footing. The security guys have been there and done that, as far as key management goes, and they're probably your best resource as you sift through the various encryption alternatives. You might even find a storage encryption product that uses the same key management scheme the network security gang is already using.
Even if you can get over the cost justification and key management hurdles, you're still not home free. Encryption will have an effect--maybe a profound one--on other storage management processes. At a minimum, it's another piece of software or hardware that will have to be monitored, managed, configured and so on. And it will likely have an impact on things you're doing today and may take for granted, like data compression. Because encrypted data looks random and can't be compressed, any compression has to happen before the data is encrypted, so you may have to retool your compression process.
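The ordering problem can be measured directly. The following is an added example, not part of the original column: it compresses and encrypts the same constructed sample data in both orders and compares the sizes. The `keystream_xor` function is a toy SHA-256 counter-mode keystream standing in for a real cipher such as AES (Python's standard library has none); it is for illustration only, and the sample records and key are made up.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (assumption: stand-in for AES, not for real use).

    XORs data with SHA-256(key || block counter); applying it twice decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hashlib.sha256(key + counter).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def sample_backup(records: int = 2000) -> bytes:
    """Constructed sample: repetitive CSV rows, typical of backup data."""
    rows = (
        f"{n:08d},customer{n % 50},2007-03-{n % 28 + 1:02d},ACTIVE\n"
        for n in range(records)
    )
    return "".join(rows).encode()


def compare_orderings(data: bytes, key: bytes) -> dict:
    """Return the bytes that would be written to tape for each ordering."""
    compress_then_encrypt = keystream_xor(key, zlib.compress(data, 6))
    encrypt_then_compress = zlib.compress(keystream_xor(key, data), 6)
    return {
        "raw": len(data),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),
    }


def restore(blob: bytes, key: bytes) -> bytes:
    """Reverse the compress-then-encrypt pipeline: decrypt, then inflate."""
    return zlib.decompress(keystream_xor(key, blob))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder key for the demo
    for name, size in compare_orderings(sample_backup(), key).items():
        print(f"{name:>24}: {size} bytes")
```

A tape drive's built-in hardware compression sits at the end of the chain, so if software or an appliance encrypts upstream of the drive, the drive sees the second case and capacity planning has to assume no compression gain there.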
Kind of a bleak picture, huh? But think how bleak things might be if you simply sit back and let your company get caught with its tapes down.